The operational impact of ransomware attacks in 2019 has been devastating for public and private sector global organizations which were not properly prepared.
From Baltimore, Maryland, shutting down their city government operations and spending over $18 million to recover systems, to La Porte County, Indiana paying a $130,000 ransom in a Ryuk Ransomware attack, a new story seems to surface almost daily in the USA.
HealthITSecurity offers an article with the headline: “71% of Ransomware Attacks Targeted Small Businesses in 2018”. Here’s an excerpt: “About 70% of ransomware attacks in 2018 targeted small businesses, with an average ransom demand of $116,000, according to a recent report from Beazley Breach Response Services.”
As political pressure mounts, there is even a resolution by mayors to not pay any more ransoms to hackers.
“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit…” the adopted resolution reads.
But how can organizations prepare in advance to avoid the dangers and cyber-threats posed by ransomware?
Start With Tested Backups
Despite all the bad news, there are positive stories with happy endings – even when ransomware or other malware strikes. The reason these stories end well is that many organizations have backups of their data that are tested and can be used to quickly restore operations.
For example, take this story from Ohio: “Computers and servers in Richmond Heights City Hall were infected by malware July 1. Just a day later, systems were returned to normal thanks to backups and a rapid response from the IT team.”
So what steps are needed to be prepared regarding backups? Start by asking these questions:
- When was the last time you backed up your home PC with your most important data? (Please double-check your answer with a genuine date and data.)
- When was the last time your work laptop, desktop and/or smartphone had a usable backup? (Note: Are you sure it worked properly, and the data is available now?)
- Pick a critical computer system at work that you know is backed up. When was the last time your network/infrastructure team did a full restore of data using the backup tapes/disks/data?
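The questions above come down to one check that can be automated: restore the backup somewhere harmless and prove the data that comes back is the data that went in. The sketch below is an added example, not part of the original article; the function names, the tar.gz format and the seven-day age limit are assumptions chosen for illustration.

```python
import hashlib, shutil, tarfile, tempfile, time, zlib
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source_dir, archive):
    """Write source_dir to a tar.gz and return a manifest {relative path: sha256}."""
    source_dir = Path(source_dir)
    manifest = {p.relative_to(source_dir).as_posix(): sha256_file(p)
                for p in sorted(source_dir.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest  # keep this somewhere other than the machine being backed up

def restore_test(archive, manifest, max_age_days=7, now=None):
    """Restore into a scratch directory; return a list of problems (empty = usable)."""
    problems = []
    age_days = ((now or time.time()) - Path(archive).stat().st_mtime) / 86400
    if age_days > max_age_days:
        problems.append(f"backup is {age_days:.1f} days old (limit {max_age_days})")
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar:
                    target = (root / member.name).resolve()
                    # Restore regular files only, and never outside the scratch dir.
                    if member.isfile() and target.is_relative_to(root):
                        target.parent.mkdir(parents=True, exist_ok=True)
                        with tar.extractfile(member) as src, open(target, "wb") as dst:
                            shutil.copyfileobj(src, dst)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            problems.append(f"restore failed: {exc}")
        for rel, digest in manifest.items():
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch: {rel}")
    return problems
```

Run on a schedule, an empty result from `restore_test` is the "genuine date and data" the first question asks for; anything else means the backup would not have saved you.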
Responding To Cyber-Incidents, Such As Ransomware
Most public and private-sector organizations look to the National Institute of Standards and Technology (NIST) to do the required research to provide guidance and direction on incident response, in the same way that they developed, released and updated the Cybersecurity Framework.
NIST SP 800-184 is a guide that came out in December 2016 regarding cybersecurity event response and recovery. The title of the document is “Guide for Cybersecurity Event Recovery.”
The purpose of this NIST document is to support organizations in a technology-neutral way in improving their cyber event recovery plans, processes and procedures, with the goal of resuming normal operations more quickly. This document extends existing federal guidelines regarding incident response by providing actionable information specifically on preparing for cyber event recovery and achieving continuous improvement of recovery capabilities. It points readers to existing guidance for recovery of information technology
NIST SP 800-184 starts this way: “Preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions.”
NIST 800-184 stresses the importance of being prepared to recover from a cybersecurity event. The upfront work that can be done to ensure proper plans are in place to recover from cybersecurity events in a timely manner is very important. This includes having not only technical plans in place, but also organizational and communication plans in place so that there is a well-defined process to follow after a cybersecurity event occurs. This preparation leads to much less confusion during the recovery process. Another important topic is the notion of continuous improvement of the recovery plan. Performing regular tests and exercises of the recovery plans helps to ensure that an organization can successfully recover from a cybersecurity event after it happens.
Resources to Help with Ransomware
As the ransomware threat and the urgency of finding solutions have grown, there is increasing focus on one of the most prominent counter-developments, the “No More Ransom Project.”
Here’s some background on the “No More Ransom Project” from their website:
Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.
“The ‘No More Ransom’ website is an initiative by the National High Tech Crime Unit of the Netherlands’s police, Europol’s European Cybercrime Centre and two cybersecurity companies — Kaspersky Lab and McAfee — with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.”
The “No More Ransom Project” Web portal offers many resources, including a Crypto Sheriff tool to help identify what type of ransomware you may be infected with, plenty of ransomware prevention advice, a Q&A section which includes the history of ransomware, and even some decryption tools to help with the fix for many types of ransomware. There is also a link to report a cybercrime.
The growing threat of ransomware requires urgent action from every individual and organization that relies on their data and online services. From individuals to small businesses, to large enterprises, the global impact of ransomware continues to grow, with no end in sight. Prepare now to avoid significant cost and ensure business continuity if ransomware strikes you.